Hypertext Transfer Protocol (HTTP) is an application-level protocol over Transmission Control Protocol (TCP) for distributed, collaborative hypermedia information systems. HTTP is one of the most prevalent protocols for transferring data over a network, such as the Internet.
HTTP is considered a generic, stateless protocol. In particular, HTTP is a simple request/reply (RR) protocol over TCP. Each HTTP message that a client sends to a server must contain all the information the server needs to process it. This is effectively “service in mass production,” since each HTTP request can be treated as generic and on its own merit.
In general, HTTP works by creating a new transport connection for each request. Using HTTP, a client sends a request to a server over the connection. The server then replies over the same connection, sending information about the response, followed if possible by the requested data. The standard procedure when an HTTP request is done is to close the TCP connection (no explicit closing of the HTTP connection is necessary).
One of the limitations of HTTP is that it requires creating a separate connection for each request. A single HTTP connection cannot be used for many different requests. Instead, as noted above, HTTP uses stateless connections that are unique to each transaction. Unfortunately, this makes it difficult to include various security features on HTTP communications.
For example, digital signatures can be difficult to employ over HTTP communications. Digital signatures have become a prominent way to secure information. They typically use what is known as “public key cryptography,” which employs an algorithm using two different but mathematically related “keys”: one for creating a digital signature or transforming data into a seemingly unintelligible form, and another for verifying a digital signature or returning a message to its original form. A digital signature is unique to both the message and the key used to create it.
Typically, a digital signature is attached to its message and stored or transmitted with its message. However, this requirement is difficult to employ in HTTP, because HTTP is a stateless protocol and does not provide a mechanism for including a security feature with a message. Since a digital signature should be unique to its message, it is useless if wholly disassociated from its message.
However, in view of the widespread acceptance of HTTP, Secure Sockets Layer (SSL) and S-HTTP have been developed to provide security for HTTP communications. SSL is a protocol that runs over HTTP and establishes a secure connection between two computers. S-HTTP is an extension of HTTP and is designed to send individual messages securely.
Unfortunately, HTTP, S-HTTP, and SSL are still not ideal for providing security features, such as digital signatures. Accordingly, it may be desirable to provide methods and systems for implementing security features with communications protocols, such as HTTP.